We’ve reported that insurance giant Aflac filed an SEC 8-K form in June to disclose that a hacker had used “social engineering” to gain “unauthorized access to its network.” Interestingly, at least for cyber insurance nerds such as us, Aflac did not file an “Item 1.05” 8-K for a “material” cyber event, but rather an “Item 8.01 Other Events” 8-K, a catch-all disclosure. We explained the distinction between those two types of 8-K forms and why it’s important in this recent post.
To sum it up, Aflac was disclosing a cyber event, but indicating it had not determined whether it was “material,” often defined as information representing a “substantial likelihood that a reasonable investor would consider it important” in making an investment decision. Companies have to determine whether a cyber event is “material” as soon as possible, and once they do, they have four business days to file an “Item 1.05” 8-K. If the company doesn’t yet know, or thinks the event was not material, it can choose to file an “Item 8.01,” but is not mandated to do so under the cyber regs.
We thought Aflac would quickly reveal whether the hack was material and provide more details on it by filing another 8-K, or at the latest in its early August quarterly earnings report. Well, they did the latter, which you can see below. The impact from the hack seems serious, but was it “material?” It seems to us Aflac is still saying it doesn’t know.
From Aflac’s 10-Q quarterly report (August 5th):
“The Company experienced a cybersecurity incident in June 2025, which could result in a number of potential outcomes, including, but not limited to, additional costs and expenditures, litigation, regulatory investigations or enforcement actions, or reputational harm, any of which could have an adverse effect on the Company’s financial condition or results of operations. [Boldface from Aflac filing.]
2025 Cybersecurity Incident
As part of the June 2025 cybersecurity incident, the Company is aware of the exfiltration of certain data, including claims information, health information, social security numbers and/or other personal information, relating to a substantial number of customers, beneficiaries, employees, agents, and other individuals in the Company’s U.S. business.
The Company has incurred certain costs and may, depending on future developments, incur additional costs, including but not limited to costs associated with providing credit monitoring, identity theft protection, and Medical Shield to impacted individuals and maintaining a call center related to the provision of such services; incident response costs; expenses arising from potential litigation, governmental investigations, or enforcement actions; expenses related to compliance, finance, and legal advisory services; elevated cybersecurity insurance premiums; and costs incurred in meeting evolving legal and regulatory requirements concerning cybersecurity governance, monitoring, and disclosure. In addition, governmental investigations, private litigation or other claims could result in fines, other monetary relief, or injunctive relief.
If, as a result of any such governmental investigation, other investigation or claim, the Company is found to be in violation of applicable laws and regulations including, without limitation, any applicable data privacy and information security laws or regulations, the Company could be subject to legal risk, including government enforcement action and civil litigation, which could adversely affect the Company’s business, reputation, financial condition or results of operations.
Defending any such litigation claim or enforcement action, regardless of merit, and whether successful or unsuccessful, and cooperating with regulatory investigations, could be expensive and time-consuming and adversely affect the Company’s business, reputation, results of operations or financial condition. In addition, the Company may be adversely impacted by reputational harm or a loss of confidence in the security and integrity of our information technology systems among customers, beneficiaries, employees, agents, and others.”
Cyber Insurance News post from July 28, 2025:
Insurance giant Aflac will report its Q2 financial results on August 5th. Although its press release is silent on the topic, it seems likely the company cannot duck providing more detail on the cyber event 8-K it filed with the SEC last month, disclosing “unauthorized access to its network.” The company has blamed the penetration on “social engineering,” or hacks where an attacker tricks an employee into providing a password or other means of penetrating the target’s IT system. Public reports link the Aflac incident to a hacker group that’s hit other insurers over recent months; see our report on the Scattered Spider incidents here.
Aflac Filed Cyber Event 8-K Disclosure on June 20th
Public companies must file 8-K reports on cybersecurity events within four working days of determining the event was “material.” Eight days after its hack, Aflac filed an 8-K report with the SEC:
“On June 12, 2025, Aflac Incorporated, a Georgia corporation (the “Company”), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.
The Company has commenced a review of potentially impacted files. That review is in its early stages. The Company is unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. The Company anticipates notifying regulators and providing appropriate notifications to individuals affected by this incident. Individuals will be offered free credit monitoring and identity theft protection services.
At this time, the full scope and potential ultimate impact on the Company are not known.”
Insurer Provides More Details on Cyber Attack in Public Statement
While Aflac’s 8-K claimed the ultimate impact on the company was unknown, Aflac has revealed some more details in an undated statement on its Web site (similar information has been shared with its clients): “…(O)ur preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network…While our teams work to review the potentially impacted data and determine the specific information involved, we are offering any individual who contacts our dedicated call center free credit monitoring and identity theft protection, and Medical Shield for 24 months.”
This announcement seems sure to have ruffled the feathers of some customers and their lawyers; litigation often follows such disclosures. We’ll probably learn more on August 5th, as it’s not uncommon for companies to follow a cyber event 8-K with more details in subsequent public filings and reports. See Lee Enterprises for a recent cyber disclosure example.